SSH-Weiterleitungsproblem. „Zugriff verweigert“

Ich habe gerade eine Linux-Bastion, nennen wir sie „bastion1“ (IP: 66.66.66.6), auf RHEL 8 erstellt, um eine ältere RHEL 6-Bastion „bastion0“ (IP: 77.77.77.7) zu ersetzen, die genau dieselbe Funktion erfüllt. Die beiden Server sind gleich konfiguriert (wir verwenden Salt zum Übertragen von Konfigurationen usw.). Das IPtables-Setup ist ebenfalls in Ordnung (alle erforderlichen Einträge wurden für die neue IP dupliziert usw.). Nehmen wir für dieses Problem an, dass meine VPN-IP 55.55.55.5 und mein Benutzername „user1“ ist.

Ich kann von meinem Linux-Laptop aus erfolgreich per SSH auf „bastion1“ zugreifen und dann von „bastion1“ aus per SSH auf andere Server in unserem Netzwerk (in diesem Beispiel nennen wir es „host1.ournetwork.com“). So weit, so gut.

Wir verwenden lokal (also auf meinem Laptop) eine Konfiguration, damit SSH durch die Bastion „springt“, um zu einem anderen Host zu gelangen. Das funktioniert nicht. Wenn ich „ssh host1.ournetwork.com“ sage, geht es zur Bastion, fragt nach meinem Login, akzeptiert es erfolgreich, versucht dann, zu „host1“ zu gelangen, und schlägt fehl. Es wird dieser Fehler ausgegeben …

channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

Beim Betrachten der Protokolle wird bei „host1“ überhaupt nichts angezeigt. „bastion1“ zeigt dies im sicheren Protokoll …

Dec 29 17:25:23 bastion1 sshd[607500]: Accepted password for user1 from 55.55.55.5 port 39028 ssh2
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Dec 29 17:25:23 bastion1 sshd[607505]: error: connect to host1.ournetwork.com port 22 failed: Permission denied
Dec 29 17:25:23 bastion1 sshd[607500]: pam_unix(sshd:session): session closed for user user1

Selbstverständlich habe ich die konkreten Angaben anonymisiert.

Meine lokale SSH-Konfigurationsdatei enthält diese Einträge …

# US2 bastion.
Host bastion1
 HostName 66.66.66.6
 User user1
 port 22
 ForwardAgent yes
 Pubkeyauthentication yes
 CertificateFile ~/.ssh/id_rsa-cert.pub

Host *.ournetwork.com
 ProxyCommand ssh -A -W %h:%p bastion1
 port 22
 User user1
 Pubkeyauthentication yes
 CertificateFile ~/.ssh/id_rsa-cert.pub

Wenn ich also lokal „ssh host1.ournetwork.com“ eingebe, versucht es, per SSH eine Verbindung zu „bastion1“ (66.66.66.6) herzustellen und fragt nach einem Passwort. Nach erfolgreicher Authentifizierung springt es zu „host1.ournetwork.com“, wo es erneut nach meinem Passwort fragt. Dieses Setup hat mit unserer aktuellen rhel6-Bastion lange Zeit erfolgreich funktioniert. Nehmen wir an, die IP-Adresse war „77.77.77.7“. Nachdem „bastion1“ online gegangen war, habe ich also lokal nur die IP-Adresse in meiner lokalen SSH-Konfiguration von 77.77.77.7 auf 66.66.66.6 geändert.

Folgendes bekomme ich, wenn ich jetzt versuche, eine SSH-Verbindung herzustellen ...

→ ssh host1.ournetwork.com

                       WARNING!
========================================================
 All access to this machine is monitored. The following
 actions are criminal offences and it is our company
 policy to prosecute against:
 ** Unauthorised access to this computer
 ** Unauthorised viewing, copying or deleting data
 ** Unauthorised tampering of data
 ** Unauthorised use of this computer to access other computers.

========================================================

[email protected]'s password: 
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

Folgendes sollte ich sehen und Folgendes sehe ich bei Verwendung der alten Bastion „bastion0“ …

→ ssh host1.ournetwork.com

                       WARNING!
========================================================
 All access to this machine is monitored. The following
 actions are criminal offences and it is our company
 policy to prosecute against:
 ** Unauthorised access to this computer
 ** Unauthorised viewing, copying or deleting data
 ** Unauthorised tampering of data
 ** Unauthorised use of this computer to access other computers.

========================================================

[email protected]'s password: 

                       WARNING!
========================================================
 All access to this machine is monitored. The following
 actions are criminal offences and it is our company
 policy to prosecute against:
 ** Unauthorised access to this computer
 ** Unauthorised viewing, copying or deleting data
 ** Unauthorised tampering of data
 ** Unauthorised use of this computer to access other computers.

========================================================

[email protected]'s password: 
Last login: Tue Dec 29 17:01:29 2020 from 66.66.66.6

Ich vermute, dass ich einfach etwas Einfaches übersehe, aber ich kenne mich mit SSH-Tunneln usw. nicht so gut aus, daher kann ich nicht herausfinden, was ich übersehen habe. Was meinen Sie dazu?

---

Bearbeitet, um hinzuzufügen …

Ich dachte, jemand würde nach einer „-v“-Ausgabe fragen, also hier ist sie.

Folgendes sehe ich bei der Verwendung des neuen „Bastion1“ …

→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

                       WARNING!
========================================================
 All access to this machine is monitored. The following
 actions are criminal offences and it is our company
 policy to prosecute against:
 ** Unauthorised access to this computer
 ** Unauthorised viewing, copying or deleting data
 ** Unauthorised tampering of data
 ** Unauthorised use of this computer to access other computers.

========================================================

[email protected]'s password: 
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

Folgendes sehe ich bei der Verwendung von „bastion0“, was tatsächlich funktioniert …

→ ssh -v host1.ournetwork.com
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 30: Applying options for *.ournetwork.com
debug1: /home/user1/.ssh/config line 51: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec ssh -A -W host1.ournetwork.com:22 bastion1
debug1: identity file /home/user1/.ssh/id_rsa type -1
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: identity file /home/user1/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: identity file /home/user1/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user1/.ssh/id_xmss type -1
debug1: certificate file /home/user1/.ssh/id_rsa-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

                       WARNING!
========================================================
 All access to this machine is monitored. The following
 actions are criminal offences and it is our company
 policy to prosecute against:
 ** Unauthorised access to this computer
 ** Unauthorised viewing, copying or deleting data
 ** Unauthorised tampering of data
 ** Unauthorised use of this computer to access other computers.

========================================================

[email protected]'s password: 
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to host1.ournetwork.com:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:12Twz9Tp+BLbi91KWZ1gIyA3kNKns64hIK6BXkZcsls
debug1: Host 'host1.ournetwork.com' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:37
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Will attempt key: /home/user1/.ssh/id_rsa 
debug1: Will attempt key: /home/user1/.ssh/id_dsa 
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa 
debug1: Will attempt key: /home/user1/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/user1/.ssh/id_ed25519 
debug1: Will attempt key: /home/user1/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/user1/.ssh/id_xmss 
debug1: SSH2_MSG_SERVICE_ACCEPT received

                       WARNING!
========================================================
 All access to this machine is monitored. The following
 actions are criminal offences and it is our company
 policy to prosecute against:
 ** Unauthorised access to this computer
 ** Unauthorised viewing, copying or deleting data
 ** Unauthorised tampering of data
 ** Unauthorised use of this computer to access other computers.

========================================================

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Server accepts key: /home/user1/.ssh/id_rsa-cert.pub RSA-CERT SHA256:ABJwputoncHL/SXD48hdFTH7gomP59BQEJxW/gGNa28 explicit
debug1: Trying private key: /home/user1/.ssh/id_rsa
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug1: Trying private key: /home/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /home/user1/.ssh/id_xmss
debug1: Next authentication method: password
[email protected]'s password: 
debug1: Authentication succeeded (password).
Authenticated to host1.ournetwork.com (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: proc
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Dec 29 18:25:58 2020 from 77.77.77.7